Microsoft Services

Introduction to BitLocker FVE
(Understanding the Steps Required to Enable BitLocker)

Exploration of Windows 7
Advanced Forensic Topics - Day 3
What is BitLocker?

BitLocker Drive Encryption is a full disk encryption feature included with Microsoft's Windows Vista Ultimate, Windows Vista Enterprise, Windows Server 2008, Windows 7 Ultimate, and Windows 7 Enterprise operating systems, designed to protect data by providing encryption for entire volumes. By default it uses the AES encryption algorithm with a 128-bit key, combined with a diffuser for additional disk-encryption-specific security not provided by AES.
Why BitLocker Exists

"Some of the largest and medium-sized U.S. airports report close to 637,000 laptops lost each year, according to the Ponemon Institute survey released Monday"
- PC World, June 2008

"More than 100 USB memory sticks, some containing secret information, have been lost or stolen from the Ministry of Defense since 2004, it has emerged."
- BBC News, July 2008
BitLocker Requirements

• Windows 7 Enterprise or Ultimate

• TPM chip version 1.2 or later, and/or a BIOS capable of reading USB devices pre-boot
BitLocker Requirements

• BitLocker Installation

-Operating System Installation

-OPTIONAL: If not using a TPM, edit Group Policy to allow USB key storage

-Enabling of BitLocker and Volume Encryption
Enabling OS BitLocker via USB Key

Enabling BitLocker - OS

[Screenshot: Control Panel > All Control Panel Items, with "BitLocker Drive Encryption" among the items]

Enabling BitLocker - OS

[Screenshot: BitLocker Drive Encryption control panel. "Help protect your files and folders by encrypting your drives. BitLocker Drive Encryption helps prevent unauthorized access to any files stored on the drives shown below. You are able to use the computer normally, but unauthorized users cannot read or use your files." Hard Disk Drives: C: Off - Turn On BitLocker. BitLocker To Go: Off. See also: TPM Administration, Disk Management]
Enabling BitLocker - OS

[Screenshot: BitLocker Drive Encryption (C:) - "Starting BitLocker. Please wait while BitLocker initializes the drive." The wizard stops with the error: "A compatible Trusted Platform Module (TPM) Security Device must be present on this computer, but a TPM was not found. Please contact your system administrator to enable BitLocker." - "What are BitLocker's system requirements?"]
Enabling BitLocker - OS

Execute: gpedit.msc

Navigate: Computer Configuration\Administrative Templates\Windows Components

[Screenshot: Local Group Policy Editor, tree expanded to Windows Components > BitLocker Drive Encryption (Fixed Data Drives, Operating System Drives, Removable Data Drives), with the setting "Require additional authentication at startup" selected. Settings listed, all "Not configured": Require additional authentication at startup; Require additional authentication at startup (Windows Server 2008 and Windows Vista); Allow enhanced PINs for startup; Configure minimum PIN length for startup; Choose how BitLocker-protected operating system drives can...; Configure TPM platform validation profile. 6 setting(s).]

Description of the selected setting (Requirements: Windows 7 family): This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker. Note: Only one of the additional authentication options can be required at startup, otherwise a policy error occurs.
Enabling BitLocker - OS

[Screenshot: "Require additional authentication at startup" policy dialog (Supported on: Windows 7 family), set to Enabled.]

Options:

[x] Allow BitLocker without a compatible TPM (requires a startup key on a USB flash drive)

Settings for computers with a TPM:
Configure TPM startup: Allow TPM
Configure TPM startup PIN: Allow startup PIN with TPM
Configure TPM startup key: Allow startup key with TPM
Configure TPM startup key and PIN: Allow startup key and PIN with TPM

Help:

This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker.

Note: Only one of the additional authentication options can be required at startup, otherwise a policy error occurs.

If you want to use BitLocker on a computer without a TPM, select the "Allow BitLocker without a compatible TPM" check box. In this mode a USB drive is required for start-up and the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable you will need to use one of the BitLocker recovery options to access the drive.

On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the

OK / Cancel / Apply
Enabling BitLocker - OS

[Screenshot: BitLocker Drive Encryption control panel, same view as above. Hard Disk Drives: C: Off - Turn On BitLocker. BitLocker To Go: Off. See also: TPM Administration, Disk Management]
Enabling BitLocker - OS

[Screenshot: BitLocker Drive Encryption (C:) - "Checking your computer's configuration. BitLocker is verifying that your computer meets its system requirements. This might take a few minutes."]
Enabling BitLocker - OS

[Screenshot: BitLocker Drive Encryption (C:) - "Set BitLocker startup preferences. This computer does not appear to have a TPM. To use BitLocker Drive Encryption, a startup key on a USB flash drive will be required every time you start the computer." Options: Use BitLocker without additional keys; Require a PIN at every startup. "Some settings are managed by your system administrator." - "What is a BitLocker Drive Encryption startup key or PIN?" Cancel]
Enabling BitLocker - OS

[Screenshot: "Save BitLocker Recovery Key" with the Print option, and the saved file "BitLocker Recovery Key 1D8B346E-B8C4-4781-A6CD-FAE077F69A46.txt" opened in Notepad:]

BitLocker Drive Encryption Recovery Key
The recovery key is used to recover the data on a BitLocker protected
To verify that this is the correct recovery key compare the identification with what is presented on the recover
Recovery key identification: 1D8B346E-B8C4-47
Full recovery key identification: 1D8B346E-B8C4-4781-A6CD-FAE077F69A46
BitLocker Recovery Key:
045133-611842-097515-070279-679723-407099-551298-014080
Enabling BitLocker - OS

[Screenshot: BitLocker Drive Encryption (C:) - "Are you ready to encrypt this drive? The selected drive is C:. You can keep working while the drive is being encrypted. Your computer's performance will be affected and free space will be used by BitLocker during encryption."]

[x] Run BitLocker system check

The system check will ensure that BitLocker can read the recovery and encryption keys correctly before encrypting the drive.

BitLocker will restart your computer to test the system before encrypting.

Note: This check can take some time but is recommended because there is a risk that you might need to enter the recovery key to unlock the drive.

Continue / Cancel
[Screenshot: All Control Panel Items > BitLocker Drive Encryption. Hard Disk Drives: C: Encrypting... - Turn Off BitLocker / Manage BitLocker. BitLocker To Go: Off - Turn On BitLocker. See also: TPM Administration, Disk Management. Notification balloon: "Encryption in progress - Encryption of C: by BitLocker Drive Encryption has started. Click for more information."]
Enabling BitLocker - OS

[Screenshot: BitLocker Drive Encryption control panel. Hard Disk Drives: C: Off - Turn On BitLocker. SD CARD (F:) Off - Turn On BitLocker. See also: TPM Administration, Disk Management]
Questions?

Enabling BitLocker "To Go"

Enabling BitLocker of USB Stick

[Screenshot: Control Panel > All Control Panel Items, with "BitLocker Drive Encryption" among the items]
Enabling BitLocker of USB Stick

[Screenshot: BitLocker Drive Encryption control panel. Hard Disk Drives: C: Off - Turn On BitLocker. BitLocker To Go: USB THUMB (E:) Off - Turn On BitLocker; SD CARD (F:) Off - Turn On BitLocker. See also: TPM Administration, Disk Management]
Enabling BitLocker of USB Stick

[Screenshot: BitLocker Drive Encryption (E:) - "Starting BitLocker. Please wait while BitLocker initializes the drive." Warning: "Do not remove your drive during BitLocker setup." - "What are BitLocker's system requirements?" Cancel]
Enabling BitLocker of USB Stick

[Screenshot: BitLocker Drive Encryption (E:) - "Choose how you want to unlock this drive", shown first with neither option selected and then with the password option selected and a password entered.]

[x] Use a password to unlock the drive
Passwords should contain upper and lowercase letters, numbers, spaces, and symbols.
Type your password:
Retype your password:

[ ] Use my smart card to unlock the drive
You will need to insert your smart card. The smart card PIN will be required when you unlock the drive.

How do I use these options?

Next / Cancel
Enabling BitLocker of USB Stick

[Screenshot: the recovery key file for drive E: opened in Notepad:]

BitLocker Drive Encryption Recovery Key
The recovery key is used to recover the data on a BitLocker protected
To verify that this is the correct recovery key compare the identification with what is presented on the recover
Recovery key identification: 3C8062B5-D6A2-4F
Full recovery key identification: 3C8062B5-D6A2-4FDC-6E0D-0CF123CDCE88
BitLocker Recovery Key:
134882-198068-642180-567545-557920-569041-128777-202840
Enabling BitLocker of USB Stick

[Screenshot: BitLocker Drive Encryption (E:) - "Are you ready to encrypt this drive?" Start Encrypting / Cancel. Over it, the progress dialog "BitLocker Drive Encryption - Encrypting... Drive E: 20.3% Completed" with a Pause button and the warning "Pause encryption before removing the drive or files on the drive could be damaged."]
Unlocking your BitLocker enabled USB

Insert the USB device into a PC and type your password when prompted.

NOTE: The device can be unlocked on any BitLocker To Go capable PC if you know the password.
USB is now encrypted... Now what!?

• If the encrypted USB is formatted with FAT then it can be used on down-level Operating Systems

-Windows XP

-Windows Vista

• How is this possible? These Operating Systems did not have BitLocker To Go functionality.
USB is now encrypted... Now what!?

[Screenshot: Virtual Windows XP (Windows Virtual PC) with the USB device attached. In My Computer the device appears as "BitLocker To Go Reader (E:)" and prompts "Type your password to unlock this drive" (Show password characters / I forgot my password / What is the BitLocker To Go Reader?). Unlock / Cancel]
USB is now encrypted... Now what!?

[Screenshot: BitLocker To Go Reader (E:) after unlocking - "Which files do you want to use? Drag and drop files to this computer to view them." Listed: "Plan to take over the world.txt", Text Document, Date modified 5/1/2009 4:16:23 PM. "How do I use the BitLocker To Go Reader?"]
Exercise (45 Minutes)

Enabling BitLocker with a Thumb drive as a startup key

Enabling BitLocker Encryption of a Thumb drive


BitLocker Technical Details

Exploration of Windows 7
Advanced Forensic Topics - Day 3
What is BitLocker

• Review: BitLocker is a mechanism by which entire volumes of data can be secured in Windows 7:

-Enterprise

-Ultimate

• Why is this important?

-This mechanism helps to protect systems from offline attacks.

-Tell me again, how do we examine a suspect machine?
How is BitLocker Implemented

TPM Only - "What it is."
Protects against: SW-only attacks
Vulnerable to: HW attacks (including potentially "easy" HW attacks)

Dongle Only - "What you have."
Protects against: All HW attacks
Vulnerable to: Losing the dongle; pre-OS attacks

TPM + PIN - "What you know."
Protects against: Many HW attacks
Vulnerable to: TPM-breaking attacks

TPM + Dongle - "Two what I have's."
Protects against: Many HW attacks
Vulnerable to: HW attacks
BitLocker in Windows Vista

Operating System Drives
Unlock methods: TPM; TPM+PIN; TPM+Startup key; TPM+PIN+Startup Key*; Startup key
Recovery methods: Recovery password; Recovery Key; Active Directory backup of recovery password
Management: Group policy controlled options presented to users
Other requirements: Use of the BitLocker Drive Preparation Tool to create a system partition where boot files are located. System partition size: 1.5GB. System partition assigned a drive letter. NTFS file system.

Fixed Data Drives*
Unlock methods: Automatic unlocking
Recovery methods: Same as OS drive
Other requirements: Operating System drive must be encrypted. NTFS file system.

* Introduced in Windows Vista SP1
BitLocker in Windows 7

Operating system drive overview

Recovery methods: Recovery password; Recovery Key; Active Directory backup of recovery password; Data Recovery Agent
Other requirements: Drive preparation fully integrated in BitLocker setup. System partition size: 200MB without WinRE, 400MB with WinRE. System partition letterless. NTFS file system.
BitLocker in Windows 7

Setup improvements

• Windows 7 is BitLocker ready

-A separate system partition is now standard

-System partition is now letter-less and hidden

-BitLocker Drive Preparation Tool now integrated into the BitLocker setup experience

• Improved setup experience

-Improved BitLocker setup wizard

-Windows RE will be moved if installed on the O/S partition
BitLocker in Windows 7

Specifications for split-loader configuration

[Diagram: disk layout - System Partition / Windows RE: 400 MB, NTFS; OS: Remaining Disk, NTFS. Other labels survive only as fragments: "Windows ... 250 MB NTFS", "...B is required on the recovery pa...", "Complete PC backups".]
Windows 7 BitLocker To Go

Drive type: Removable data drives, e.g. USB flash drives, External Hard Drives
Unlock methods: Passphrase; Smart card; Automatic Unlocking
Recovery methods: Recovery password; Recovery Key; Active Directory backup of recovery password; Data Recovery Agent
Management: Robust and consistent group policy controls; Ability to mandate encryption prior to granting write access
Other requirements: File systems: NTFS, FAT, FAT32, ExFAT
Windows 7 BitLocker To Go

New unlock methods

• Roaming using a Passphrase

-No specific hardware requirement

-Easily roam inside and outside domains/organizations

-Complexity and length requirements managed by Group Policy

• Roaming using Smart Cards

-Leverages existing PKI infrastructure

-Requires specific hardware

-Can roam to any computer running Windows 7 or Server 2008 R2

-Uses much stronger keys than passphrase
Windows 7 BitLocker To Go

New recovery mechanism

• Data Recovery Agents (DRA)

-Certificate-based key protector

>A certificate containing a public key is distributed through Group Policy and is applied to any drive that mounts

>The corresponding private key is held by a DRA in corpsec

-Allows the IT department to have a way to unlock all protected drives in an enterprise

-Leverages existing PKI infrastructure

-Saves space in AD - same Key Protector on all drives

-Also applies to O/S and fixed drives
Windows 7 BitLocker To Go

Managing BitLocker

• BitLocker from Windows Explorer

Right click drives in Windows Explorer to:

- Turn on BitLocker

- Unlock a drive

- Manage BitLocker
Windows 7 BitLocker To Go

Managing BitLocker removable drives

• Data Drives

- Add, remove, or change their passphrase

- Add or remove a smart card

- Add or remove automatic unlocking

- Duplicate their recovery key/password
Windows 7 BitLocker To Go - Enterprise

Mandating BitLocker on removable drives

• Requiring BitLocker for removable data drives

-When this policy is enforced, all removable drives will require BitLocker protection in order to have write access

-As soon as a drive is plugged into a machine, a dialog is displayed to the user to either enable BitLocker on the device or only have read-only access
Windows 7 BitLocker To Go

Mandating BitLocker on removable drives

The user gets full RW access only after encryption is completed.

Users can alternatively enable BitLocker at a later time.

[Screenshot: "Your system administrator requires this drive to be protected by BitLocker before you can write data to it." Options: Protect my drive using BitLocker Drive Encryption (Your drive will be read-only until encryption is complete); Use my drive for reading data only; Use my drive for reading data only and do not ask me this again. "What is BitLocker Drive Encryption?"]
Disk Layout and Key Storage

Operating system volume contains:

- encrypted OS

- encrypted page file

- encrypted temp files

- encrypted data

- encrypted hibernation file

Where's the encryption key?

- SRK (Storage Root Key) contained in the TPM

- SRK encrypts the VMK (Volume Master Key).

- VMK encrypts the FVEK (Full Volume Encryption Key) - used for the actual data encryption.

- FVEK and VMK are stored encrypted on the Operating System Volume.
BitLocker Explained

• BitLocker can be implemented in a number of ways and can be thought of as a 2 phase approach to securing a machine

-Phase 1: Pre-OS Validation

-Phase 2: Full Volume Encryption

Note: Both phases may not be implemented depending on hardware and software versions
Drive Encryption Specifics

• Some of the tenets of BitLocker

-Once enabled, the data on the drive is always encrypted unless the volume is decrypted

-FVEVOL.SYS sits underneath the file system driver and performs all encryption / decryption

-The drive is encrypted a sector at a time and supports sector sizes from 512 to 8192 bytes
Drive Encryption Specifics

Once enabled, the data on the drive is always encrypted unless the volume is decrypted

• The initial process of enabling BitLocker takes a while as all of the data on the disk is encrypted.

• There are 2 options once a drive is encrypted:

-Disabled: Volume is still encrypted but the VMK is stored in the clear (used for updates)

-Decrypt: Decrypting the drive completely
Drive Encryption Specifics

FVEVOL.SYS sits underneath the file system driver and performs all encryption / decryption

[Diagram: I/O stack - Application in User Mode; in Kernel Mode the file system driver, then Fvevol.sys, then a lower layer whose label is truncated to "Manage", then the Physical Disk]

Once booted, Vista (and the user) sees no difference in experience.

The encryption / decryption happens at a lower level.
Drive Encryption Specifics

The drive is encrypted a sector at a time and supports sector sizes from 512 to 8192 bytes

• It would be impractical to encrypt the entire drive as one blob, not to mention unmanageable given the number of reads and writes

• BitLocker encrypts the drive a sector at a time so that only the sectors that are being read or written have to be manipulated.
BitLocker Forensic View (Details and Artifacts in BitLocker Data)

Exploration of Windows Vista
Advanced Forensic Topics - Day 3
Examination of Physical Image

• Despite the fact that BitLocker implements full volume encryption, there are a number of locations that contain clear text data

• The BIOS Parameter Block (BPB) is the first 54 bytes in the first sector of a volume and has volume "signature" data
Examination of Physical Image

• In addition to the data in the volume signature field, BitLocker stores copies of the metadata in other locations.

• First location is calculated with the following data from the signature field:

MetadataLCN * SectorsPerCluster * BytesPerSector
Examination of Physical Image

Offset    Size    Field
Examination of Physical Image - VISTA

• Viewing the volume signature in your favorite forensic tool makes the issue very clear

• Notice the signature "-FVE-FS-"
Examination of Physical Image - Win 7

[Hex dump of the first sector of a Windows 7 BitLocker volume; only the row offsets 0x00 to 0x30 survived extraction.]

• Viewing the volume signature in your favorite forensic tool makes the issue very clear

• Notice the signature "-FVE-FS-"



LAW ENFORCEMENT SENSITIVE INFORMATION - DO NOT SHARE THESE MATERIALS 

©2007 Microsoft Corporation - All Rights Reserved 






Examination of Physical Image - BL To Go DOS - IS THIS RIGHT?

• Viewing the volume signature in your favorite forensic tool makes the issue very clear

• Notice the signature "FVE!"
Examination of Physical Image - BL To Go NTFS

• Viewing the volume signature in your favorite forensic tool makes the issue very clear

• Notice the signature "-FVE-FS-"
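As an added example that is not part of the course material, the following Python applies the two preceding points to the raw first sector of a volume: it looks for the "-FVE-FS-" signature at offset 3 (the bytes where an NTFS boot sector carries its OEM ID) and computes the metadata location from MetadataLCN * SectorsPerCluster * BytesPerSector. Assumptions: BytesPerSector and SectorsPerCluster are read from their standard BPB positions (offsets 11 and 13); the MetadataLCN is read from offset 56, the field NTFS uses for the MFT mirror cluster number, which the slides do not pin down and which should be verified against a known image; the sectors are constructed, and the FAT-based To Go signature the slides mention is not handled.

```python
import struct
from typing import Tuple

# Signature BitLocker writes in place of the NTFS OEM ID (offset 3, 8 bytes).
FVE_SIGNATURE = b"-FVE-FS-"
SIGNATURE_OFFSET = 3
BYTES_PER_SECTOR_OFFSET = 11      # BPB field: 2 bytes, little-endian
SECTORS_PER_CLUSTER_OFFSET = 13   # BPB field: 1 byte
METADATA_LCN_OFFSET = 56          # ASSUMPTION: 8-byte LE cluster number, where NTFS keeps the MFT mirror LCN


def is_bitlocker_volume(sector: bytes) -> bool:
    """Return True when the first sector carries the '-FVE-FS-' volume signature."""
    if len(sector) < SIGNATURE_OFFSET + len(FVE_SIGNATURE):
        return False
    return sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + len(FVE_SIGNATURE)] == FVE_SIGNATURE


def bpb_geometry(sector: bytes) -> Tuple[int, int]:
    """Read BytesPerSector and SectorsPerCluster from the BIOS Parameter Block."""
    if len(sector) < 64:
        raise ValueError("need at least 64 bytes of the first sector")
    (bytes_per_sector,) = struct.unpack_from("<H", sector, BYTES_PER_SECTOR_OFFSET)
    sectors_per_cluster = sector[SECTORS_PER_CLUSTER_OFFSET]
    # Sector sizes BitLocker supports per the slides are 512 to 8192 bytes.
    if bytes_per_sector not in (512, 1024, 2048, 4096, 8192) or sectors_per_cluster == 0:
        raise ValueError("implausible BPB geometry")
    return bytes_per_sector, sectors_per_cluster


def metadata_byte_offset(sector: bytes) -> int:
    """MetadataLCN * SectorsPerCluster * BytesPerSector, as the slide gives it."""
    if not is_bitlocker_volume(sector):
        raise ValueError("not a BitLocker ('-FVE-FS-') volume")
    bytes_per_sector, sectors_per_cluster = bpb_geometry(sector)
    (metadata_lcn,) = struct.unpack_from("<Q", sector, METADATA_LCN_OFFSET)
    return metadata_lcn * sectors_per_cluster * bytes_per_sector


def build_sample_sector(signature: bytes, bytes_per_sector: int,
                        sectors_per_cluster: int, metadata_lcn: int) -> bytes:
    """Constructed first sector for demonstration: only the fields used above are filled in."""
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x52\x90"                   # typical jump instruction opening a boot sector
    sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 8] = signature
    struct.pack_into("<H", sector, BYTES_PER_SECTOR_OFFSET, bytes_per_sector)
    sector[SECTORS_PER_CLUSTER_OFFSET] = sectors_per_cluster
    struct.pack_into("<Q", sector, METADATA_LCN_OFFSET, metadata_lcn)
    sector[510:512] = b"\x55\xAA"                     # boot sector end marker
    return bytes(sector)


# Constructed samples: a BitLocker-signed volume and a plain NTFS one with the same geometry.
SAMPLE_FVE_SECTOR = build_sample_sector(FVE_SIGNATURE, 512, 8, 125393)
SAMPLE_NTFS_SECTOR = build_sample_sector(b"NTFS    ", 512, 8, 125393)


if __name__ == "__main__":
    print("BitLocker volume:", is_bitlocker_volume(SAMPLE_FVE_SECTOR))
    print("plain NTFS volume:", is_bitlocker_volume(SAMPLE_NTFS_SECTOR))
    print("first metadata copy at byte offset", metadata_byte_offset(SAMPLE_FVE_SECTOR))
```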
Examination of the BEK File

• We can also see the Recovery Key ID number (i.e. the GUID-like name of the BEK file)

Offset 56(d), Length 4 bytes (Reversed)
Offset 60(d), Length 2 bytes (Reversed)
Offset 62(d), Length 2 bytes (Reversed)
Offset 64(d), Length 2 bytes (Forward)
Offset 66(d), Length 6 bytes (Forward)
Examination of the BEK File

Recovery Key:
ID: {7C6CA4B3-F630-4BE2-A23E-5CF79BADA160}
External Key File Name:
7C6CA4B3-F630-4BE2-A23E-5CF79BADA160.BEK
Examination of the BEK File

• When implementing BitLocker with a Startup Key (USB drive or encrypting a data volume) we can get additional information from the file itself.

-Date of key generation

-Time of key generation

Offset 72(d), Length 8 bytes (Little endian)
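As an added example (not from the course material) that ties the last three slides together, this Python reads the two fields they describe from a .BEK file: the key identifier GUID at offset 56, decoded group by group in the reversed/forward order listed above, and the key generation time at offset 72 as a little-endian Windows FILETIME. The sample bytes are constructed: the identifier is the one shown on the slide, the timestamp is a made-up value, and the remaining bytes are zero filler rather than real header or key material.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

KEY_ID_OFFSET = 56     # GUID: 4 bytes reversed, 2 reversed, 2 reversed, 2 forward, 6 forward (slide offsets 56-66)
CREATED_OFFSET = 72    # 8-byte little-endian Windows FILETIME (slide offset 72)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME counts 100 ns ticks from here


def guid_from_mixed_endian(raw: bytes) -> str:
    """Decode the five GUID groups exactly as the slide lists them."""
    if len(raw) != 16:
        raise ValueError("a GUID is 16 bytes")
    group1, group2, group3 = struct.unpack_from("<IHH", raw, 0)   # the three reversed (little-endian) groups
    group4 = raw[8:10].hex().upper()                               # forward, 2 bytes
    group5 = raw[10:16].hex().upper()                              # forward, 6 bytes
    return f"{group1:08X}-{group2:04X}-{group3:04X}-{group4}-{group5}"


def filetime_to_utc(filetime: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_bek(data: bytes) -> dict:
    """Pull the key identifier and generation time out of a .BEK startup/external key file."""
    if len(data) < CREATED_OFFSET + 8:
        raise ValueError("file too short to hold the identifier and timestamp")
    raw_id = data[KEY_ID_OFFSET:KEY_ID_OFFSET + 16]
    key_id = guid_from_mixed_endian(raw_id)
    (filetime,) = struct.unpack_from("<Q", data, CREATED_OFFSET)
    return {
        "key_id": key_id,
        "bek_file_name": key_id + ".BEK",      # the file is named after its identifier, as on the slide
        "created_utc": filetime_to_utc(filetime),
        "filetime_raw": filetime,
    }


def cross_check_with_uuid(data: bytes) -> bool:
    """Confirm the hand-decoded GUID matches Python's own mixed-endian (bytes_le) decoder."""
    raw_id = data[KEY_ID_OFFSET:KEY_ID_OFFSET + 16]
    return guid_from_mixed_endian(raw_id) == str(uuid.UUID(bytes_le=raw_id)).upper()


# Constructed sample .BEK bytes: only the two fields the slides cover are populated.
# The identifier is the one from the slide above; the timestamp is a made-up value
# (2009-05-01 16:16:23 UTC). Everything else is zero filler, not real key material.
SAMPLE_BEK = (
    bytes(56)                                                             # header + entry header filler
    + bytes.fromhex("B3A46C7C" "30F6" "E24B" "A23E" "5CF79BADA160")        # {7C6CA4B3-F630-4BE2-A23E-5CF79BADA160} as stored
    + struct.pack("<Q", 128856681830000000)                               # FILETIME for 2009-05-01 16:16:23 UTC
    + bytes(32)                                                           # filler where the key bytes would follow
)


if __name__ == "__main__":
    info = parse_bek(SAMPLE_BEK)
    print(info["bek_file_name"], "generated", info["created_utc"].isoformat())
    print("matches uuid.UUID(bytes_le=...):", cross_check_with_uuid(SAMPLE_BEK))
```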
BitLocker Investigative Impact

• What do investigators have on our side?

-BitLocker is only available in Windows Enterprise and Ultimate SKUs

-BitLocker has a number of "Recovery" scenarios that we can exploit

-Encryption is "scary" to users (even criminals)

-BitLocker, at its core, is a password technology; we simply have to get the password from our suspect or surroundings
BitLocker Investigative Impact

• What do investigators have on our side?

-We are investigators, and should be aware if our suspect is using encryption technology prior to entry

-BitLocker in the Enterprise should have a high likelihood of recovery information availability

-BitLocker protected drives can be mounted and examined forensically if we can get in

-We are the good guys!
BitLocker Investigative Impact

• What do investigators have working against us?

-BitLocker has very low user interaction after the initial setup

-BitLocker has <5% overhead on performance

-If used in the TPM + PIN scenario, we need the user to provide the PIN or recovery info

-If used in the TPM + USB scenario, we need the USB drive or user supplied recovery info
BitLocker Investigative Impact

• What do investigators have working against us?

-BitLocker uses US Government grade encryption with 128-bit or 256-bit AES keys

-BitLocker operates at a lower level of the OS so security technologies can be layered (EFS)
BitLocker Investigative Impact

• Introduction of this security technology in Windows Vista and Windows 7 does not amount to an overwhelming blow to the efforts of law enforcement

• As has been true throughout history, the dumb criminals will be easy to catch and the smart ones harder...
Questions?

Enabling BitLocker on Data volumes

Exercise 6


Mounting BitLocker Protected Volumes

Exploration of Windows 7
Advanced Forensic Topics - Day 3
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Requirements - NEED TO TEST Versions 

• Examiner System must be running either 
Windows 7 Enterprise or Ultimate 

• BitLocker does NOT have to be enabled on the 
Examiner system 

• All obvious write protection mechanisms should 
be in place - Forensics 101 
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Mounting a BitLocker Drive 



• Investigators can use the recovery mechanisms 
built into the BitLocker mechanism to access the 
protected drive 

• Just like EFS 

WE STILL NEED THE PASSWORD!!! 
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Mounting a BitLocker Drive 



• Physical Mount 

-Install the "suspect" drive as a secondary drive 
through a write blocker 

-Boot to a BitLocker capable version of Win 7 

-Access the BitLocker MMC 

-You should see the "suspect" drive 

-Use the BitLocker recovery process to 
temporarily access the data 



LAW ENFORCEMENT SENSITIVE INFORMATION - DO NOT SHARE THESE MATERIALS 

©2007 Microsoft Corporation - All Rights Reserved 



Mounting a BitLocker Drive 

[Screenshot: Windows Explorer "Computer" view on the examiner system (TOYJEEP, 4.00 GB memory, Intel Core 2 Duo). Hard Disk Drives (3): Local Disk (C:) 43.7 GB free of 92.9 GB, Local Disk (E:), System Reserved (G:). Devices with Removable Storage (2): DVD RW Drive (D:), SD CARD (F:) 1.87 GB free of 1.89 GB. The suspect volume attached through the write blocker has been assigned a drive letter; until it is unlocked, Explorer cannot browse it.] 
Mounting a BitLocker Drive 





[Screenshot: Control Panel > BitLocker Drive Encryption on the examiner system, before the unlock. Page text: "Help protect your files and folders by encrypting your drives. BitLocker Drive Encryption helps prevent unauthorized access to any files stored on the drives shown below. You are able to use the computer normally, but unauthorized users cannot read or use your files." Under "BitLocker Drive Encryption - Hard Disk Drives": C: Off (Turn On BitLocker); System Reserved (G:) Off (Turn On BitLocker). Under "BitLocker Drive Encryption - BitLocker To Go": the attached suspect volume shows On with an "Unlock Drive" link; SD CARD (F:) Off (Turn On BitLocker). "See also" links: TPM Administration, Disk Management.] 



[Screenshot: dialog "BitLocker Drive Encryption (E:) - Unlock this drive using your recovery key". Text: "If you don't remember your password or you don't have your smart card, you can use your recovery key to unlock the drive. Your recovery key was created when BitLocker was first set up. The recovery key might have been saved or printed, or you might need to get it from your system administrator (depending on your company's security policy). Your recovery key can be identified by: FB5F55C2". Options: "Get the key from a USB flash drive" and "Type the recovery key"; Cancel.] 

The eight-character identifier in this dialog is the first block of the key protector's GUID. Matching it against the ID recorded next to each recovery password (in Active Directory, on a printout or in a saved file) is how the correct 48-digit recovery password is located when more than one is on file. 
Mounting a BitLocker Drive 

[Screenshot: dialog "BitLocker Drive Encryption (E:) - Enter your recovery key". Prompt: "Type your BitLocker recovery key:" with the 48-digit recovery password entered as eight groups of six digits. "Less information" reveals "Full BitLocker recovery key identification:" followed by the complete protector GUID, whose first block is the FB5F55C2 shown in the previous dialog. Buttons: Next, Cancel.] 
[Screenshot: dialog "BitLocker Drive Encryption (E:) - You now have temporary access to this drive". Text: "The drive is unlocked but it will be locked again if you remove it or turn off your computer. You should change your password or your unlocking method by clicking Manage BitLocker." Buttons: Manage BitLocker, Finish.] 

For forensic purposes the "temporary" behaviour is the one we want: the unlock exists only in the running examiner session, nothing needs to be written to the suspect volume (which in any case stays behind the write blocker), and the drive returns to its locked state when it is detached or the examiner system is powered off. Click Finish, not Manage BitLocker; changing the password or unlocking method would alter the volume's BitLocker metadata. 



Mounting a BitLocker Drive 

[Screenshot: Control Panel > BitLocker Drive Encryption after the unlock. Under "BitLocker Drive Encryption - BitLocker To Go" the suspect volume now offers "Turn Off BitLocker" and "Manage BitLocker" in place of "Unlock Drive"; C:, SD CARD (F:) and System Reserved (G:) remain Off (Turn On BitLocker). The volume is now browsable in Explorer like any other drive letter and can be imaged logically or examined with forensic tools.] 
BitLocker "Cold Boot" attack? 

[Screenshot: Group Policy editor, BitLocker Drive Encryption setting "Prevent memory overwrite on restart" (Not Configured / Enabled / Disabled; Supported on: At least Windows Vista). Help text: "This policy setting controls computer restart performance at the risk of exposing BitLocker secrets. This policy setting is applied when you turn on BitLocker. BitLocker secrets include key material used to encrypt data. This policy setting applies only when BitLocker protection is enabled. If you enable this policy setting, memory will not be overwritten when the computer restarts. Preventing memory overwrite may improve restart performance but will increase the risk of exposing BitLocker secrets."] 

Left Not Configured or Disabled, Windows asks the firmware to clear RAM on a restart, so BitLocker key material cannot be lifted from memory after a warm reboot into another OS. The key material is only exposed to a true cold boot (power removed and the memory modules read before their contents decay), and only while the system is running or sleeping with the volume unlocked. 



Questions? 
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Microsoft Services 

Tools for Dealing with 
BitLocker Evidence 

Exploration of Windows 7 
Advanced Forensic Topics - Day 3 
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BitLocker Aware Forensic Tools 

• Some tools already handle disk images of 
encrypted drives provided the investigator has 
recovery or startup key material 
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Alternatives 



• If the tool used does not support BitLocker, an 
investigator should obtain 2 images of the 
suspect system 

-Physical - To allow for booting and testing 
-Logical - To allow for examination in the tool 
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Alternatives 



• The increasing use of encryption, and the growing 
number of technically savvy criminals, necessitate a 
move from traditional offline-only forensics to a 
hybrid online / offline approach in which two sets of 
data are collected and examined. 
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Dealing with BitLocker on a 

Live System 

Exploration of Windows Vista 
Advanced Forensic Topics - Day 3 
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Manage-BDE 



• In Vista this tool was a script, Manage-BDE.WSF, run through cscript 

• In Win7 it was converted to an EXE 

• C:\Windows\System32\Manage-BDE.exe 

• Manage-BDE and the repair tool (Repair-BDE) are now part of 
Windows PE, Windows RE and Windows 7 
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Manage-BDE 



• This tool can manage every aspect of BitLocker 
on a system 

-Encrypt drives 

-Lock and Unlock drives 

-Decrypt drives 

-Manage BitLocker Keys 

-View Recovery Key information 
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Manage-BDE 

• Viewing if BitLocker is enabled on any drive on a 
live system (run from an elevated, Administrator command prompt): 

    manage-bde -status 



Manage-BDE 



• What about recovery information? 

manage-bde -protectors -get c: 

Note: You will need to run this for all drives 
attached to the system, i.e. 

manage-bde -protectors -get d: 
manage-bde -protectors -get e: 




Manage-BDE 

Sample output of manage-bde -protectors -get C: on a Windows 7 system 
(the last group of the numerical password is truncated in the capture): 

    BitLocker Drive Encryption: Configuration Tool version 6.1.7072 
    Copyright (C) Microsoft Corporation. All rights reserved. 

    Volume C: [] 
    All Key Protectors 

        External Key: 
          ID: {B2EDF460-234E-40D4-8F2D-14DC4D29722C} 
          External Key File Name: 
            B2EDF460-234E-40D4-8F2D-14DC4D29722C.BEK 

        Numerical Password: 
          ID: {738C71C6-8CEA-4273-81EC-8A2F23A7DF21} 
          Password: 
            290103-627220-601392-709918-475816-546480-189739-18504 

This OS volume has two protectors: a startup key stored in the named .BEK file on a USB device, and a 48-digit recovery password. Either one unlocks the volume, so finding the USB key or the printed/AD-backed recovery password during the search is as good as having the user's cooperation. 
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Manage-BDE 



We can even unlock the drive with the manage-bde tool. 

Remember that unlocking leaves the data encrypted on disk: -unlock only releases the Volume Master Key (VMK) to the running system for this session, in exchange for a recovery password, a recovery key file (.BEK) or a passphrase. Storing the VMK in the clear so the system can boot without a startup key is a different operation, suspending protection (manage-bde -protectors -disable), which writes a clear-key protector onto the volume and should not be done to evidence. Auto-unlock applies to data volumes only: it stores an external key for the data volume on the encrypted OS volume so the data volume unlocks automatically whenever that OS boots. 

    manage-bde -unlock e: -RecoveryPassword <48-digit recovery password> 
    manage-bde -unlock e: -RecoveryKey <path>\<protector ID>.BEK 
    manage-bde -autounlock -enable e: 
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Forensic First Responders 



• Inclusion of this tool in any first responder toolkit 
is a must. 

• A script can be leveraged to detect BitLocker on 
a live system and automatically obtain Recovery 
Key data and/or unlock the drive 
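The procedure on the preceding slides (check status, pull the key protectors from every volume, optionally unlock with a recovery password) can be scripted so a first responder does it the same way on every live system and keeps a record. The script below is an added example written for this page; it is not part of the course materials, nor Microsoft's code. It calls only manage-bde.exe switches shown above (-status, -protectors -get, -unlock -RecoveryPassword). The evidence folder, log naming, helper function names (Write-Evidence, Invoke-ManageBde, Get-Sha256) and the parsing of -status output into Drive/Conversion/Lock/Protection fields are this example's own choices, and it assumes an elevated PowerShell 2.0 or later prompt on Windows 7.

```powershell
# Added example for this page (not course material or Microsoft code): first-responder
# BitLocker triage on a live Windows 7 system, built around manage-bde.exe.
# Hypothetical choices: the evidence folder, log naming and helper function names.
# Run from an elevated (Administrator) PowerShell prompt; manage-bde requires it.

param(
    [string]$EvidenceDir = "$env:SystemDrive\BDE-Triage",
    [switch]$Unlock,                       # also try -unlock on locked volumes
    [hashtable]$RecoveryPasswords = @{}    # e.g. @{ 'E:' = '290103-627220-...' } (48 digits)
)

$ManageBde = Join-Path $env:SystemRoot 'System32\manage-bde.exe'
if (-not (Test-Path $ManageBde)) { throw 'manage-bde.exe not found: not a BitLocker-capable Windows build' }

New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$Log = Join-Path $EvidenceDir ('bde-triage-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))

# Append a line to the evidence log and echo it to the console.
function Write-Evidence([string]$Text) {
    $Text | Out-File -FilePath $Log -Append -Encoding UTF8
    Write-Host $Text
}

# Run manage-bde with the given arguments, capturing stdout and stderr as one text block.
function Invoke-ManageBde([string[]]$Arguments) {
    $out = & $ManageBde @Arguments 2>&1
    return ($out | ForEach-Object { $_.ToString() }) -join "`r`n"
}

# SHA-256 of a file via .NET, so it also works on PowerShell 2.0 (no Get-FileHash there).
function Get-Sha256([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { return ([System.BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '') }
    finally { $fs.Close() }
}

# 1. Which volumes exist and what state is each in?
Write-Evidence ('=== {0}  host={1}  user={2} ===' -f (Get-Date -Format o), $env:COMPUTERNAME, $env:USERNAME)
Write-Evidence '=== manage-bde -status ==='
$status = Invoke-ManageBde @('-status')
Write-Evidence $status

# Parse the "Volume X: [Label]" blocks of -status into objects (field names are manage-bde's own).
$volumes = @()
$current = $null
foreach ($line in ($status -split "`r`n")) {
    if ($line -match '^Volume ([A-Z]:)') {
        $current = New-Object PSObject -Property @{ Drive = $matches[1]; Conversion = ''; Lock = ''; Protection = '' }
        $volumes += $current
    }
    elseif ($current -and $line -match '^\s*Conversion Status:\s*(.+)$') { $current.Conversion = $matches[1].Trim() }
    elseif ($current -and $line -match '^\s*Lock Status:\s*(.+)$')       { $current.Lock       = $matches[1].Trim() }
    elseif ($current -and $line -match '^\s*Protection Status:\s*(.+)$') { $current.Protection = $matches[1].Trim() }
}

foreach ($v in $volumes) {
    Write-Evidence ('--- {0}  {1} / {2} / {3}' -f $v.Drive, $v.Conversion, $v.Lock, $v.Protection)
    if ($v.Conversion -eq 'Fully Decrypted') { continue }   # plain volume, nothing to collect

    # 2. Record the key protectors while the system is live. On an unlocked volume this
    #    prints the Numerical Password (recovery password) and any .BEK file name in the clear.
    Write-Evidence ('=== manage-bde -protectors -get {0} ===' -f $v.Drive)
    Write-Evidence (Invoke-ManageBde @('-protectors', '-get', $v.Drive))

    # 3. Optionally unlock a locked volume with a supplied recovery password. -unlock does not
    #    decrypt anything on disk; it only makes the volume readable for this session.
    if ($Unlock -and $v.Lock -eq 'Locked' -and $RecoveryPasswords.ContainsKey($v.Drive)) {
        Write-Evidence ('=== manage-bde -unlock {0} -RecoveryPassword <redacted> ===' -f $v.Drive)
        Write-Evidence (Invoke-ManageBde @('-unlock', $v.Drive, '-RecoveryPassword', $RecoveryPasswords[$v.Drive]))
    }
}

# 4. Hash the log so the collected recovery material can later be shown to be unaltered.
Write-Host ('Evidence log: {0}' -f $Log)
Write-Host ('SHA-256:      {0}' -f (Get-Sha256 $Log))
```

Save it as Bde-Triage.ps1 and run .\Bde-Triage.ps1 to collect only; add -Unlock -RecoveryPasswords @{ 'E:' = '<48-digit password>' } to also unlock E:. Collection runs before any unlock attempt on purpose: the -protectors -get output for a volume that is already unlocked on the live system contains its recovery password in the clear, and that is the material you want on record before the machine is powered off and the volumes lock.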
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Questions? 
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Mounting BitLocker Protected Volumes for Preview 

Exercise 
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Imaging Implications for BitLocker Protected Drives 

Exercise 
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Examining File system Signatures of BitLocker Protected Volumes 

Exercise 
BitLocker in Windows 7 at a Glance 

• Operating System Drives 

-Unlock methods: TPM+PIN; TPM+Startup key; TPM+PIN+Startup key; Startup key 

-Recovery methods: Recovery password; Recovery key; Active Directory backup of recovery password; Domain Recovery Agent 

-Management: Consistent Group Policy enforcement; Minimum PIN length 

-Other requirements: Drive preparation fully integrated in BitLocker setup; System partition size 200MB without WinRE, 400MB with WinRE; System partition letterless; NTFS file system 

• Data Drives (includes fixed and removable) 

-Unlock methods: Passphrase; Smart Card; Automatic 

-Recovery methods: Same as OS drives 

-Management: Robust and consistent Group Policy control; Ability to mandate encryption prior to granting write access 

-Other requirements: File systems: NTFS, FAT, FAT32, ExFAT 
